WRLA  2004  Preliminary  Version 


Representing  the  MSR  Cryptoprotocol 
Specification  Language  in  an  Extension  of 
Rewriting  Logic  with  Dependent  Types 

Iliano Cervesato

ITT  Industries,  Inc.,  Advanced  Engineering  and  Sciences  Division 
Alexandria,  VA  22303,  USA 

Mark-Oliver Stehr

University of Illinois at Urbana-Champaign,
Computer Science Department, Urbana, IL 61801, USA


Abstract 

This paper presents a shallow and hence efficient embedding of the security protocol specification language MSR into rewriting logic with dependent types, an instance of the open calculus of constructions which integrates key concepts from equational logic, rewriting logic, and type theory. MSR is based on a form of first-order multiset rewriting extended with existential name generation and a flexible type infrastructure centered on dependent types with subsorting. This encoding is intended to serve as the basis for implementing an MSR specification and analysis environment using existing first-order rewriting engines such as Maude.


1  Introduction 

MSR originated as a simple logic-oriented language aimed at investigating the decidability of protocol analysis under a variety of assumptions. It evolved into a precise, powerful, flexible, and still relatively simple framework for the specification of complex cryptographic protocols, possibly structured as a collection of coordinated subprotocols [3,5]. It uses strongly-typed multiset rewriting rules over first-order atomic formulas to express protocol actions and relies on a form of existential quantification to symbolically model the generation of nonces and other fresh data. Dependent types are a useful abstraction mechanism not available in other languages. For instance, the dependency of public/private keys on their owner can be naturally expressed at the type level. Finally, MSR supports an array of useful static checks that include type-checking and data access verification.

Figure 1. Architecture of the Embedding of MSR into Rewriting Logic

This work outlines an encoding of the core of MSR into rewriting logic (RWL), more precisely into its extension with dependent types (RWLDT). Rewriting logic draws on the observation that many paradigms can naturally be captured by conditional rewriting modulo an underlying equational theory, the theory of multisets being a particularly important case for the specification of concurrent systems and protocols. Recently a combination of equational logic and rewriting logic with dependent types has been studied in [14] under the name open calculus of constructions (OCC). In this paper we show that a restricted predicative instance of OCC, which we call rewriting logic with dependent types (RWLDT), can be used to represent typed MSR specifications in a way that preserves all type information. RWLDT does not natively support existential name generation: our encoding implements it with counters. Moreover, ensuring the executability of the resulting code required some care.

Composing the mapping from MSR into RWLDT with a mapping from RWLDT into RWL, which has already been implemented as part of the OCC prototype [14], we obtain an encoding from MSR into RWL, which can serve as the basis of an execution environment for MSR in an RWL-based language such as Maude. This two-level approach, which is summarized in Figure 1, has some advantages over a direct mapping into RWL. The first is modularity and separation of concerns: the mapping from MSR into RWLDT is only concerned with the dynamics (given by the rules) but preserves the static part (given by declarations, types, and terms). The second advantage is that RWLDT seems to be the right level for user interaction, because its terms and types closely correspond to those of MSR. Finally, the preservation of types and the fact that RWLDT is a sub-logic of OCC provide a suitable level of abstraction for formal reasoning, a possibility that is not the subject of this paper, but that we hope to explore in the future.

This work serves as the basis for a forthcoming prototype of MSR, which will eventually run on top of Maude. The linguistic affinity between MSR and RWLDT allows for a much simpler construction than a direct implementation. Mapping MSR into the popular CAPSL Intermediate Language [10] would have been more difficult, because MSR has a much richer typing infrastructure than CIL.

The remainder of this paper is organized as follows: We introduce MSR and RWLDT in Sections 3 and 4, respectively. In Section 5 we define the mapping from MSR into RWLDT, state its key properties, and outline some simple optimizations. It is applied to our running example, the Otway-Rees protocol, in Section 6. We conclude this paper with a discussion of limitations, implementation aspects, and possible extensions of our approach. First, some notation.


2  Notation 

We use $[]$ to denote the empty list and a comma to denote list concatenation. We write identifiers ranging over lists in bold, and indicate their length with a superscript. Therefore, $\mathbf{X}^n$ denotes a list of $n$ elements. We will generally omit the length information when irrelevant or easily deducible from the context. Occasionally, we write $|\mathbf{X}|$ for the length of a list $\mathbf{X}$. We write $X_i$ (or $\mathbf{X}_i$) for the $i$-th element of $\mathbf{X}$. We abbreviate constructions over all elements in a list as constructions over the list itself: for example, we may write $(M\ \mathbf{N}^n)$ for $(M\ N_1 \ldots N_n)$, and $\forall \mathbf{X}^n : \mathbf{U}^n$ for $\forall X_1 : U_1 \ldots \forall X_n : U_n$.


3  The  MSR  Cryptoprotocol  Specification  Language 

The syntax of instances of MSR tailored to specific security protocols has been presented in [5]. Here, we will instead concentrate on a more abstract syntax, currently undergoing formalization, which allows the user to declare operators such as message concatenation and encryption rather than having them hard-coded in the language. The core of the syntax of MSR is given in the following table:


Terms      $M, N ::= X \mid M\ N$
Types      $T ::= M \mid \mathsf{state} \mid \mathsf{princ} \mid \mathsf{msg} \mid \{X : T\}T'$
Kinds      $K ::= \mathsf{type} \mid \{X : T\}K$
Contexts   $\mathcal{D} ::= \cdot \mid \mathcal{D}, X : K \mid \mathcal{D}, X : T$
States     $S ::= \cdot \mid S, M$
Rules      $\rho ::= \mathsf{rule}\ j : \forall \mathbf{X} : \mathbf{U} .\ (S \to \exists \mathbf{Y} : \mathbf{V} .\ S')$
Roles      $\mathcal{P} ::= \mathsf{role}\ i : \forall P : \mathsf{princ} .\ \exists \mathbf{L} : \mathbf{T} .\ \boldsymbol{\rho}$
           $\phantom{\mathcal{P} ::=}\ \mid\ \mathsf{role}\ i : \mathsf{for}\ P : \mathsf{princ} .\ \exists \mathbf{L} : \mathbf{T} .\ \boldsymbol{\rho}$

MSR is based on first-order terms, which for simplicity we limit to identifiers ($X$) and application. Here, $X$ can be either a bound variable or a previously declared identifier. For conciseness, we describe atomic types (i.e., objects of kind $\mathsf{type}$) as if they were terms. Reserved atomic types include the type of states ($\mathsf{state}$), principals ($\mathsf{princ}$) and messages ($\mathsf{msg}$). We write $\{X : T\}T'$ for a dependent type, simplifying this syntax into $T \to T'$ when $X$ does not occur free in $T'$. A context (called signature in [4,5]) is a list of declarations of term constants and type families. A state is a comma-separated multiset of terms (of type $\mathsf{state}$). We later use the comma for message concatenation as well, an overloading that is disambiguated by the surrounding context. A rule relates two states $S$ and $S'$. The latter can be prefixed by a sequence of existential declarations (e.g., for creating nonces), while other variables in the rule will often be universally quantified at its head. Roles are nonempty sequences of rules prefixed by zero or more existential predicate declarations. We assume that MSR specifications satisfy a restricted format, where the existential predicates are used to introduce local intermediate states for sequentializing the rules inside a role. A role has a distinguished owner $P$, which can be either an arbitrary principal in generic roles, or a fixed principal (e.g., a server) in anchored roles, which are introduced by the keyword $\mathsf{for}$ (which is not a binder).

MSR's actual syntax, as described in [4,5,7], has other constructs that we either ignore for simplicity or leave out for future work. In particular, we assume that MSR's native subtyping is emulated by explicit coercions, that MSR's module structure has been expanded into a single sequence of declarations, and that all typing information is explicit, while MSR allows pointwise reconstruction. Simple preprocessing or standard techniques suffice to account for these discrepancies. In this paper, we do not treat other features of MSR, in particular guarded rules, equations, and a syntactic check known as data access specification. They will be the subject of future work.

We will rely on the Otway-Rees authentication protocol [12] to illustrate the use of MSR. In this protocol, an initiator, $A$, wants to obtain a short-term secret key $k_{AB}$ to communicate securely with a responder $B$. They rely on a server $S$, with whom they share the long-term secret keys $k_{AS}$ and $k_{BS}$ respectively, to generate this new key. The "usual notation" for this protocol is as follows:

(i)   $A \to B : n, A, B, \{n_A, n, A, B\}_{k_{AS}}$

(ii)  $B \to S : n, A, B, \{n_A, n, A, B\}_{k_{AS}}, \{n_B, n, A, B\}_{k_{BS}}$

(iii) $S \to B : n, \{n_A, k_{AB}\}_{k_{AS}}, \{n_B, k_{AB}\}_{k_{BS}}$

(iv)  $B \to A : n, \{n_A, k_{AB}\}_{k_{AS}}$

Here, $A$ and $B$ range over arbitrary principals, while $S$ is a fixed principal, the key server. Moreover, $n$, $n_A$ and $n_B$ are nonces, freshly generated values aimed at preventing the replay of old messages.

As mentioned earlier, we assume appropriate declarations of types other than $\mathsf{princ}$, $\mathsf{state}$ and $\mathsf{msg}$, and of their elements. For this example, we rely on the type $\mathsf{nonce}$, the type families $\mathsf{ltK}$ and $\mathsf{stK}$ (for long- and short-term keys, respectively), and concatenation (overloaded as the infix ",") and encryption (written $\{\_\}_{\_}$) as additional message constructors. We use the state predicate $\mathsf{n}$ to represent messages in transit on the network. The superscripts $\mathsf{p}$, $\mathsf{n}$ and $\mathsf{k}$ represent coercions from principals, nonces and short-term keys to messages, respectively, and $\mathsf{l}$ denotes the coercion from long-term keys to the shared keys expected by the encryption function (full MSR uses subsorting instead). The complete MSR specification is not reproduced here; we show only the generic role for the responder ($B$):


$\mathsf{role}\ 2 : \forall B : \mathsf{princ} .$
$\quad \exists L : \{B : \mathsf{princ}\}\mathsf{princ} \to \mathsf{nonce} \to \mathsf{nonce} \to (\mathsf{ltK}\ B\ S) \to \mathsf{state} .$
$\quad \mathsf{rule}\ 21 : \forall A : \mathsf{princ} .\ \forall n : \mathsf{nonce} .\ \forall k_{BS} : (\mathsf{ltK}\ B\ S) .\ \forall X : \mathsf{msg} .$
$\qquad \mathsf{n}(n^{\mathsf{n}}, A^{\mathsf{p}}, B^{\mathsf{p}}, X) \to \exists n_B : \mathsf{nonce} .$
$\qquad\quad \mathsf{n}(n^{\mathsf{n}}, A^{\mathsf{p}}, B^{\mathsf{p}}, X, \{n_B^{\mathsf{n}}, n^{\mathsf{n}}, A^{\mathsf{p}}, B^{\mathsf{p}}\}_{k_{BS}^{\mathsf{l}}}),\ (L\ B\ A\ n\ n_B\ k_{BS})$
$\quad \mathsf{rule}\ 22 : \forall A : \mathsf{princ} .\ \forall n, n_B : \mathsf{nonce} .\ \forall Y : \mathsf{msg} .\ \forall k_{BS} : (\mathsf{ltK}\ B\ S) .\ \forall k_{AB} : (\mathsf{stK}\ A\ B) .$
$\qquad \mathsf{n}(n^{\mathsf{n}}, Y, \{n_B^{\mathsf{n}}, k_{AB}^{\mathsf{k}}\}_{k_{BS}^{\mathsf{l}}}),\ (L\ B\ A\ n\ n_B\ k_{BS}) \to \mathsf{n}(n^{\mathsf{n}}, Y)$


This  role  is  generic  and  has  two  rules  which  are  both  in  the  scope  of  the  quantifiers 
for  B  and  L.  In  contrast,  the  role  for  S  would  be  an  anchored  role,  since  S  is  a  fixed 
principal. 

The operational semantics of MSR [4,5] uses transition judgments that transform configurations of the form $[S]^{R}_{\Sigma}$. Here $S$ is an MSR state, $R$ is an active role set which collects the active roles, i.e., instantiated and possibly partially executed roles, available at the next step, and $\Sigma$ is an MSR dynamic context (called signature in [4,5]), which accounts for all the dynamically generated fresh constants available to $R$ in state $S$. Using a slightly richer syntax than [4,5], we write an active role in the form $\mathsf{actrole}\ i : \mathsf{for}\ A : \mathsf{princ} .\ \mathsf{with}\ \mathbf{N} : \mathbf{T} .\ \boldsymbol{\rho}$ (again, $\mathsf{for}$ and $\mathsf{with}$ are not binders), meaning that it is the instance of either a generic role $\mathsf{role}\ i : \forall P : \mathsf{princ} .\ \exists \mathbf{L} : \mathbf{T} .\ \boldsymbol{\rho}$ with $P$ instantiated by $A$ and $\mathbf{L}$ instantiated by $\mathbf{N}$, or the instance of an anchored role $\mathsf{role}\ i : \mathsf{for}\ A : \mathsf{princ} .\ \exists \mathbf{L} : \mathbf{T} .\ \boldsymbol{\rho}$ with $\mathbf{L}$ instantiated by $\mathbf{N}$.

In this paper we initially rely on two judgment forms to describe transitions. Given declarations $\mathcal{D}$ and roles $\mathcal{P}$, the judgment $\mathcal{D}, \mathcal{P} \vdash [S]^{R}_{\Sigma} \longrightarrow_{i,A,\mathbf{N}} [S']^{R'}_{\Sigma'}$ denotes the full instantiation, i.e., the instantiation of all outer universal and existential quantifiers, of the role $i$ ($A$ and $\mathbf{N}$ define the particular instantiation). We write $\mathcal{D}, \mathcal{P} \vdash [S]^{R}_{\Sigma} \longrightarrow_{i,A,\mathbf{N},j} [S']^{R'}_{\Sigma'}$ to denote a transition resulting from the application of rule $j$ of the active role $i$ (the instance with $A$ and $\mathbf{N}$), followed by the removal of the active role $i$ if it has been fully executed. If one of these transitions can be derived we simply write $\mathcal{D}, \mathcal{P} \vdash [S]^{R}_{\Sigma} \longrightarrow [S']^{R'}_{\Sigma'}$. The rules for a marginally more abstract version of this semantics can be found in the MSR literature cited above.


4  Rewriting  Logic  with  Dependent  Types 

The open calculus of constructions (OCC), from which we derive rewriting logic with dependent types (RWLDT) by instantiation and restriction, is a family of type theories concerned with three classes of terms: elements, types and universes. Types serve as an abstraction for collections of elements, and universes as an abstraction for collections of types.

OCC is parameterized by OCC signatures defining the universe structure. In this paper we use a fixed signature $\Sigma = (\mathcal{S}, \mathsf{Type}, \mathcal{R}, \leq)$ with predicative universes $\mathcal{S} = \{\mathsf{Type}, \mathsf{Type}_1, \mathsf{Type}_2, \ldots\}$, which form a cumulative predicative hierarchy. This means that we have $\mathsf{Type} : \mathsf{Type}_1 : \mathsf{Type}_2 \ldots$, a subtyping relation $\mathsf{Type} \leq \mathsf{Type}_1 \leq \mathsf{Type}_2 \ldots$ (also called the subuniverse relation), and $(s, s', s \sqcup s') \in \mathcal{R}$ for all $s, s' \in \mathcal{S}$, where $\sqcup$ denotes the least upper bound w.r.t. $\leq$ (see footnote 3).

The  formal  system  of  OCC  is  designed  to  make  sense  under  the  propositions- 
as-types  interpretation,  where  propositions  are  interpreted  as  types  and  proofs  are 
interpreted  as  elements  of  these  types.  Since  in  OCC  there  is  no  a  priori  distinction 
between  terms  and  types,  and  furthermore  between  types  and  propositions,  we  use 
all  these  notions  synonymously. 

OCC has the standard constructs known from pure type systems and a few additional ones. An OCC term can be one of the following: a universe $s$, a variable $X$, a typed $\lambda$-abstraction $[X : S]M$, a dependent function type $\{X : S\}T$, a type assertion $M : T$, an $\varepsilon$-construct $\varepsilon\ A$ denoting an irrelevant proof of a proposition $A$, a propositional equality $M = N$, or one of three flavors of operational propositions, written as $\|\ A$, $!!\ A$, or $??\ A$. Here and in the following we usually use $M, N, P, Q, S, T, U, V, A$, and $B$ to range over OCC terms, and $X, Y, Z$ to range over names. Operational propositions are either structural propositions, designated by $\|$, computational propositions, designated by $!!$, or assertional propositions, designated by $??$. Subsequently, we use $\tau$ to range over these three flavors $\{\|, !!, ??\}$.

OCC contexts are lists of declarations of the form $X : S$. The empty context is written as $[]$. Typically, we use $\Gamma$ to range over OCC contexts.

An OCC specification is simply an OCC context $\Gamma$ in this paper. Such a specification can introduce rewrite predicates by declarations of the form $R : \{Y : S\}\{Y' : S\}\,T \to \mathsf{Type}$. The idea is that each rewrite predicate can be regarded as a labeled transition system, which can be executed in a very similar way to rewriting logic specifications. Note that $R : \{Y : S\}\{Y' : S\}\,T \to \mathsf{Type}$ is the declaration of a ternary predicate $R$ where $S$ is the type of states and $T$ is the type of actions, which could range from atomic labels to rewrite proofs, depending on the requirements of the application. In the case where the type $T$ does not depend on $Y$ and $Y'$, this declaration takes the form $R : S \to S \to T \to \mathsf{Type}$.

Since we are working with a predicative instance of OCC, it is entirely straightforward to define a model-theoretic semantics based on classical set theory with suitable universes. The appropriate level of abstraction for this paper is, however, the operational semantics, which is given by the formal system of OCC. It is a direct generalization of the operational semantics of rewriting logic and of its membership-equational sublogic as implemented in Maude.


3 The effect of this choice of $\mathcal{R}$, a standard parameter for pure type systems, is that for arbitrary types $S : s$ (in a context $\Gamma$) and $T : s'$ (in a context $\Gamma, X : S$) with $s, s' \in \mathcal{S}$ we can form the dependent type $\{X : S\}T : s''$ (in $\Gamma$) for $s'' = s \sqcup s'$.
The formal system of OCC defines derivability of OCC judgments $\Gamma \vdash J$ and has been shown to be sound w.r.t. the set-theoretic semantics. For brevity we only give an informal explanation of all judgments and their intuitive operational meaning.

• The type inference judgment $\Gamma \vdash M \Rightarrow S$ asserts that the term $M$ is an element of the inferred type $S$ in the context $\Gamma$. Operationally, $\Gamma$ and $M$ are given and $S$ is obtained by syntax-directed type inference and possible reduction using the computational equations modulo the structural equations of $\Gamma$.

• The typing judgment $\Gamma \vdash M : S$ asserts that $M$ is an element of type $S$ in the context $\Gamma$. Operationally, $\Gamma$, $M$ and $S$ are given and verifying $\Gamma \vdash M : S$ amounts to type checking. Type checking is always reduced to type inference and the verification of an assertional subtyping judgment.

• The structural equality judgment $\Gamma \vdash \|\ (M = N)$ is used to express that $M$ and $N$ are considered to be structurally equal elements in the context $\Gamma$. Operationally, structural equality is realized by a suitable term representation so that structurally equal terms cannot be distinguished when they participate in computations.

• The computational equality judgment $\Gamma \vdash !!\ (M = N)$ is the judgment that defines the notion of reduction for the simplification of terms. The judgment states that the element $M$ can be reduced to the element $N$ in the context $\Gamma$. Operationally, $\Gamma$ and $M$ are given and $N$ is the result of reducing $M$ using the computational equations in $\Gamma$ modulo the structural equations in $\Gamma$.

• The assertional judgment $\Gamma \vdash ??\ A$ states that $A$ is provable by means of the operational semantics in the context $\Gamma$. Operationally, $\Gamma$ and $A$ are given and the judgment is verified by a combination of reduction using the computational equations and exhaustive goal-oriented search using the assertional propositions in $\Gamma$. Both processes take place modulo the structural equations in $\Gamma$.

• The assertional equality judgment $\Gamma \vdash ??\ (M = N)$ states that $M$ and $N$ are assertionally equal in $\Gamma$, a notion that treats equality as a predicate and subsumes the structural and computational equality judgments. Operationally, $\Gamma$, $M$ and $N$ are given and the judgment is verified like other assertional judgments in a goal-oriented fashion.

• The assertional subtyping judgment $\Gamma \vdash ??\ (S \leq T)$ subsumes the assertional equality judgment and states that $S$ is a subtype of $T$ in $\Gamma$ as a consequence of the cumulativity of the universe hierarchy. Operationally, $\Gamma$, $S$ and $T$ are given and the judgment is verified like other assertional judgments in a goal-oriented fashion.

• The computational rewrite judgment $\Gamma \vdash !!\ (R\ M\ M'\ P)$ expresses that by means of the computational rewrite rules specified in $\Gamma$ for the rewrite predicate $R$ the element $M$ can be rewritten to the element $M'$, and that this rewrite is labeled by the element $P$. Operationally, $\Gamma$ and $M$ are given and $M'$ is computed by the application of a computational rewrite rule in $\Gamma$ modulo the computational and structural equations in $\Gamma$. In addition, an abstract witness $P$ for this rewrite is constructed.

By fixing the signature at the beginning of this section, we have introduced a particular instance of OCC. For the purpose of this paper we further restrict this instance by requiring that specifications use a unique fixed rewrite predicate $R$ which is declared as $R : S \to S \to T \to \mathsf{Type}$. The idea is that this ternary rewrite predicate precisely corresponds to the labeled rewrite relation of rewriting logic. To remind us of this correspondence we refer to this restricted sublanguage of OCC in the following as rewriting logic with dependent types (RWLDT) (see footnote 4). Since $R$ is unique, we can use the usual notation $[P] : M \Rightarrow N$ instead of the less intuitive $(R\ M\ N\ P)$. Similarly, we use $\Gamma \vdash !!\ [P] : M \Rightarrow N$ to denote the corresponding computational rewrite judgment.

5  Mapping  MSR  to  RWLDT 

In this section we give a precise definition of our mapping from MSR into RWLDT. The translations of kinds, types, terms, and states are very direct. The translation of roles and rules may appear somewhat technical, but the underlying idea is simple. To make it more accessible to the reader we introduce the mapping of roles and rules in three steps: in Sections 5.1 to 5.3 we give an initial mapping that is correct in a rather obvious way, and then we deal with some deficiencies of this mapping in two further steps in Sections 5.4 and 5.5. The result is a mapping which is not only correct but ensures executability of the resulting RWLDT specification (in the sense of ordinary rewrite systems). It furthermore avoids the introduction of any superfluous intermediate states that would lead to unnecessary inefficiencies, especially if we use the result of the translation for symbolic state space exploration.

5.1  Initial  Context 

The MSR multiset union construct will be translated to an ordinary RWLDT function $\mathsf{union}$. To this end, we define $\mathit{initial\text{-}context}$ as an OCC context that contains the following declarations.

First, the structural axioms for multisets:

$\mathsf{state} : \mathsf{Type}$,
$\mathsf{empty} : \mathsf{state}$,
$\mathsf{union} : \mathsf{state} \to \mathsf{state} \to \mathsf{state}$,
$\mathsf{union\_comm} : \|\{X, Y : \mathsf{state}\}(\mathsf{union}\ X\ Y) = (\mathsf{union}\ Y\ X)$,
$\mathsf{union\_assoc} : \|\{X, Y, Z : \mathsf{state}\}(\mathsf{union}\ (\mathsf{union}\ X\ Y)\ Z) = (\mathsf{union}\ X\ (\mathsf{union}\ Y\ Z))$,
$\mathsf{union\_id} : \|\{X : \mathsf{state}\}(\mathsf{union}\ \mathsf{empty}\ X) = X$.

4 Compared with [14] we have omitted assertional rewrite judgments in our presentation of OCC, because we do not need rewrite conditions in this paper. Such conditions are admitted in RWL and hence in the most general version of RWLDT.
The initial context also contains the following declarations, which we describe only intuitively. Their purpose will become clear as we lay out the translation.

• $\mathsf{princ} : \mathsf{Type}$, $\mathsf{msg} : \mathsf{Type}$. The types of principals and messages, respectively.

• $\mathsf{t}_{ij} : \mathsf{princ} \to \mathbf{T} \to \mathsf{state}$. For each role $i$ with existential quantifier types $\mathbf{T}$ and each of its rules $j$, a token $(\mathsf{t}_{ij}\ A\ \mathbf{N})$ will be used to represent the fact that role $i$ has been instantiated with values $A$ and $\mathbf{N}$.

• $\mathsf{nat} : \mathsf{Type}$, $\mathsf{o} : \mathsf{nat}$ and $\mathsf{s} : \mathsf{nat} \to \mathsf{nat}$. Natural numbers are used to index fresh symbols, i.e., symbols that have not been used in the past.

• $\mathsf{f} : \mathsf{nat} \to \mathsf{state}$. As an invariant of our representation there is a unique $(\mathsf{f}\ N)$ that holds the next available fresh index $N$.

• $V : \mathsf{nat} \to V$. For each type $V$ whose elements can be generated, this function allows us to index (some of) its elements by natural numbers, a way to generate fresh symbols of this type.

• $\mathsf{e} : \{T : \mathsf{Type}\}T \to \mathsf{state}$. The term $(\mathsf{e}\ T\ M)$ expresses the fact that $M$ is an element of type $T$, as part of the state. We will use this predicate only in Section 5.4.

• $\mathsf{act} : \mathsf{Type}$, $\mathsf{a}_i : \mathsf{act}$ for each role $i$, and $\mathsf{a}_{ij} : \mathsf{act}$ for each of its rules $j$. These constants are used to label the rewrite rules resulting from the translation.


5.2  Translating  Kinds,  Types,  Terms,  States,  and  Contexts 

For the following we assume that MSR specifications do not use names introduced by $\mathit{initial\text{-}context}$ other than $\mathsf{state}$, $\mathsf{princ}$ and $\mathsf{msg}$. We also assume that all declared and bound variables are distinct. This allows a clear presentation of the main ideas without worrying about renaming and capture. We then define the translation of MSR kinds, types, terms, states, and contexts as follows:

• $\mathit{kind}(\mathsf{type}) = \mathsf{Type}$
  $\mathit{kind}(\{X : T\}K) = \{X : \mathit{type}(T)\}\mathit{kind}(K)$

• $\mathit{type}(X) = X$
  $\mathit{type}(\mathsf{state}) = \mathsf{state}$
  $\mathit{type}(\mathsf{princ}) = \mathsf{princ}$
  $\mathit{type}(\mathsf{msg}) = \mathsf{msg}$
  $\mathit{type}(T\ M) = (\mathit{type}(T)\ \mathit{term}(M))$
  $\mathit{type}(\{X : T\}T') = \{X : \mathit{type}(T)\}\mathit{type}(T')$

• $\mathit{term}(X) = X$
  $\mathit{term}(M\ N) = (\mathit{term}(M)\ \mathit{term}(N))$

• $\mathit{state}(\cdot) = \mathsf{empty}$
  $\mathit{state}(S, S') = (\mathsf{union}\ \mathit{state}(S)\ \mathit{state}(S'))$
  $\mathit{state}(M) = \mathit{term}(M)$

• $\mathit{context}(\cdot) = \mathit{initial\text{-}context}$
  $\mathit{context}(\mathcal{D}, X : K) = \mathit{context}(\mathcal{D}), X : \mathit{kind}(K)$
  $\mathit{context}(\mathcal{D}, X : T) = \mathit{context}(\mathcal{D}), X : \mathit{type}(T)$.

Subsequently, $(\mathsf{union}\ (S_1, \ldots, S_n))$ abbreviates $(\mathsf{union}\ S_1\ (\mathsf{union}\ (S_2, \ldots, S_n)))$, and $(\mathsf{union}\ ())$ abbreviates $\mathsf{empty}$. We also refer to this term as the formal multiset of $S_1, \ldots, S_n$.

The adequacy of this translation is expressed by the following theorem:

Theorem 5.1 If $\mathcal{D}$ is a well-typed MSR context then:

(i) If $K$ is an MSR kind, then $\mathcal{D} \vdash K\ \mathsf{kind}$ in MSR iff $\mathit{context}(\mathcal{D}) \vdash \mathit{kind}(K) : \mathsf{Type}_1$ in RWLDT.

(ii) If in addition $\mathcal{D} \vdash K\ \mathsf{kind}$ and $T$ is an MSR type, then $\mathcal{D} \vdash T : K$ in MSR iff $\mathit{context}(\mathcal{D}) \vdash \mathit{type}(T) : \mathit{kind}(K)$ in RWLDT.

(iii) If in addition $\mathcal{D} \vdash T : K$ and $M$ is an MSR term, then $\mathcal{D} \vdash M : T$ in MSR iff $\mathit{context}(\mathcal{D}) \vdash \mathit{term}(M) : \mathit{type}(T)$ in RWLDT.

(iv) If $S$ is an MSR state, then $\mathcal{D} \vdash S : \mathsf{state}$ in MSR iff $\mathit{context}(\mathcal{D}) \vdash \mathit{state}(S) : \mathsf{state}$ in RWLDT.

Furthermore, $\mathcal{D}$ is well-typed iff $\mathit{context}(\mathcal{D})$ is well-typed.

Proof Sketch. First of all, it is straightforward to verify that each MSR inference rule can be simulated by one or more inference rules of RWLDT [14]. As a consequence, the $\Rightarrow$ direction of the equivalences (i) to (iv) holds.

To deal with the more interesting $\Leftarrow$ direction of these equivalences, we first observe that several features of RWLDT are not relevant for the purpose of this proof. Our representation does not exploit higher universes (beyond $\mathsf{Type}$) or universe subtyping in any essential way (the only use of $\mathsf{Type}_1$ in our representation is to serve as a type of kinds). Neither computational equations nor assertional propositions of RWLDT are used. Structural equations are only used to represent MSR states (multisets), and they are used in such a way that they precisely represent the MSR syntax. The computational rewrite axioms of RWLDT do not have any impact on type checking, so they can be ignored here. Another major simplification is that MSR, and hence its representation in RWLDT, does not use $\lambda$-abstractions, and the type assertions and the $\varepsilon$-operator of RWLDT are not used either. As a consequence, many of the inference rules of RWLDT [14] can be ignored or reduced to trivial cases, because they cannot have been used in the RWLDT derivation or have only been used in a trivial form. For instance, without $\lambda$-abstractions and computational equations, computational equality reduces to structural equality. Without assertional propositions, inference rules for assertional propositions other than assertional equality and assertional subtyping are superfluous. Without the use of higher universes, assertional subtyping coincides with assertional equality, which reduces to structural equality and $\alpha$-conversion. Now it is easy to verify the $\Leftarrow$ direction of (i) to (iv) by simulating each inference rule of the simplified RWLDT using inference rules of MSR. A slight remaining difficulty is to overcome the gap between implicit $\alpha$-conversion in MSR and explicit $\alpha$-conversion in RWLDT (including its more general notion of context), but the proof techniques for pure type systems used in [15] can be easily adapted to our simple setting.

Finally, the proof that $\mathcal{D}$ is well-typed iff $\mathit{context}(\mathcal{D})$ is well-typed can be done by induction over the length of $\mathcal{D}$ using the previous statements. □

It is important to note that this theorem does not imply that each well-typed 
RWLDT term in the context context(V) is a representation of an MSR term, type, 
or kind. For instance, a counterpart of the RWLDT type Type → Type : Type₁ does 
not exist in MSR. Similarly, we could use λ-abstractions and other constructs in 
RWLDT, but they do not have counterparts in MSR. In fact, the restricted syntax of 
MSR and our representation carve out a sublanguage of RWLDT, and only terms 
in this sublanguage are used inside the operational semantics. The specification 
itself, however, requires constructs such as structural equations and computational 
rewrite axioms, which are outside of this sublanguage. 


5.3 Translating Roles and Rules 

To further simplify the presentation, we assume that the identifier of the i-th role is 
i and the identifier of its j-th rule is j. We then define the translation of MSR roles 
and rules as follows (using V and V′ to range over role sequences): 

• roles(·) = []. 
  roles(role i for A : princ . ∃L:T. ρ) = r_i : role(i, A, ∃L:T. ρ). 
  roles(role i : ∀P : princ . ∃L:T. ρ) = r_i : {P : princ} role(i, P, ∃L:T. ρ). 
  roles(V, V′) = roles(V), roles(V′). 

• role(i, P, ∃L:T. ρ^n) = 
  {Z, Z′ : nat}{L : type(T)} fresh(Z, L, T, Z′) → 
    [a_i] : (F Z) ⇒ (union ((τ_i1 P L), ..., (τ_in P L), (F Z′))), 
  rule(i, P, L, T, ρ_1), ..., rule(i, P, L, T, ρ_n). 

• rule(i, P, L, T, rule j : ∀X:U. M → ∃Y:V. N) = 
  r_ij : {P : princ}{Z, Z′ : nat}{L : type(T)}{X : type(U)}{Y : type(V)} fresh(Z, Y, V, Z′) → 
    [a_ij] : (union ((τ_ij P L), (F Z), state(M))) ⇒ (union (state(N), (F Z′))). 

• fresh(Z, Y, V, Z′) = 
  Y_1 = V_1(Z), Y_2 = V_2(s(Z)), ..., Y_y = V_y(s^{y−1}(Z)), Z′ = s^y(Z). 

In the last equation we assume that for each type V there is an injection with the same 
name V : nat → V, a declaration that needs to be included in initial-context. 

Above we use A_1, ..., A_n → B to abbreviate A_1 → ... → A_n → B, which 
here means that A_1, ..., A_n are conditions. It should also be noted, however, that 
the use of conditions here is not essential, because they are all of the form Y = Q 
and hence can trivially be eliminated. We only use conditions for better readability 
and to maintain a more direct correspondence to the MSR syntax. 
The idea behind the definition of role is that it maps each MSR role i to several 
RWLDT rewrite axioms: there is one rewrite axiom labelled a_i, representing the 
instantiation of this role. In addition, there is one rewrite axiom labelled a_ij (generated 
by rule) for each of its rules j. The first axiom a_i, apart from the generation of 
fresh terms needed for the new instance, generates the tokens (τ_i1 P L), ..., (τ_in P L), 
representing the fact that none of the rules of this role has been executed yet. Each 
of the remaining axioms a_ij simulates the corresponding MSR rule j, so that each 
application of a rule removes its corresponding token. This realizes the MSR policy 
that rules of active roles can only be executed once. 

The following lemma expresses that the generation of fresh symbols is correctly 
represented in RWLDT. 

Lemma 5.2 (Freshness Invariance) Let (V, V) be an MSR specification. The 
representation in RWLDT maintains the following invariant: if there is a term of 
the form (F (s^n o)) in the RWLDT state and no other occurrence of F, then for each 
k (including 0) the term (s^{n+k} o), and consequently V(s^{n+k} o), is fresh, i.e., it does 
not occur in any other part of the state. 

Proof Sketch. This can be directly verified as an inductive invariant for each of the 
RWLDT rewrite axioms in our representation, using our earlier assumption on the 
initial context that o and s are not used in the MSR specification. □ 

To express the relationship between MSR and its representation we also need a 
representation of dynamic entities such as active roles: 

• actroles(·) = empty. 
  actroles(actrole i : for A : princ . with N : T . ρ) = 
    the formal multiset of all (τ_ij A N) s.t. ρ contains rule j. 
  actroles(R, R′) = (union actroles(R) actroles(R′)), 
    where R and R′ range over active role sets. 

Recall that actrole i : for A : princ . with N : T . ρ is the form of an active 
role, i.e., one that has been (fully) instantiated and possibly partially executed. 
The fact that the active role set contains an active role of this form corresponds to 
the fact that for each rule j of the active role (i.e., a rule that has not been executed 
yet) the term (τ_ij A N) is part of the distributed state in the representation. 

The subsequent theorem justifies the use of representations of MSR configurations 
of a particular form in all the remaining theorems. 

Theorem 5.3 (Representation Invariance) Let (V, V) be an MSR specification. 
If context(V), roles(V) ⊢ !! [P] : M ⇒ M′ and M is a representation of an 
MSR configuration, i.e., of the form (union ((F (s^n o)), state(S), actroles(R))) 
for some n, some MSR state S, and some MSR active role set R, then M′ is a 
representation of an MSR configuration as well. 

Proof Sketch. Again this is an inductive invariant that obviously holds for each of 
the RWLDT rewrite axioms in our representation. □ 

For the proof of the main theorem, we need the following lemma. 

Lemma 5.4 (Representation Uniqueness) Let (V, V) be an MSR specification. 
Then each MSR active role set R reachable in the operational semantics of MSR 
can be uniquely reconstructed from its representation actroles(R). 

Proof Sketch. Observe that active role sets can contain only elements that can 
actually be obtained by (full) instantiation of known roles followed by removal of 
some of their rules (after they are executed). We need to consider two cases: 

(i) If there is at least one token (left) that represents the active role, then this token 
carries the full information, namely i, A, and N, to determine the initial 
role instance. Unfortunately, we need to argue that together all tokens of the 
form (τ_ij A N) uniquely determine the rules of this active role, i.e., the rules 
that still need to be executed. The only potential source of confusion is that 
the representation may contain several instances of the same active role i 
executing concurrently with the same values A and N. Since N is generated 
fresh, the confusion can only occur if N is the empty list, i.e., when the role 
does not have any existential quantifiers. Because of the restricted format of 
MSR specifications (existential predicates are used to sequentialize the rules 
inside a role) this means that the role can only have a single rule, and hence it 
can be in only one state, namely the state after it has been instantiated but not 
executed. 

(ii) In case there is no token (left) that represents the active role, the role must have 
been fully executed, and hence by definition of our operational semantics for 
MSR it cannot be part of the active role set. Hence, again its contribution to 
the active role set is uniquely determined. □ 

Lemma 5.5 Let (V, V) be an MSR specification, let S, S′ be MSR states, and let 
R, R′ be MSR active role sets. Then for all n, k we have the following equivalences: 

There are MSR contexts Σ_n, Σ′_{n+k} s.t. V, V ⊢ [S]_{Σ_n} →_{i,A,N} [S′]_{Σ′_{n+k}} iff 
context(V), roles(V) ⊢ !! [a_i] : (union ((F (s^n o)), state(S), actroles(R))) ⇒ 
(union ((F (s^{n+k} o)), state(S′), actroles(R′))). 

There are MSR contexts Σ_n, Σ′_{n+k} s.t. V, V ⊢ [S]_{Σ_n} →_{i,j,A,N} [S′]_{Σ′_{n+k}} iff 
context(V), roles(V) ⊢ !! [a_ij] : (union ((F (s^n o)), state(S), actroles(R))) ⇒ 
(union ((F (s^{n+k} o)), state(S′), actroles(R′))). 

In both statements we identify terms that are structurally equal in context(V). 

Proof Sketch. First, an observation that simplifies the proof of both statements of 
the lemma: we can verify using the previous lemma that 

(union ((F (s^n o)), state(S), actroles(R))) 

can only represent the MSR state S and the MSR active role set R, and hence only an 
MSR configuration [S]_Σ for some dynamic context Σ. Similarly, 

(union ((F (s^{n+k} o)), state(S′), actroles(R′))) 

can only represent a configuration [S′]_Σ′, again for some dynamic context Σ′. 

To prove the first equivalence of the lemma, note that the left-hand side expresses 
that role i is instantiated for some principal A (if it is generic, otherwise 
A is already fixed), the existential quantifiers are instantiated with fresh symbols, 
and the corresponding role instance is added to the active role set. According to the 
change in the MSR dynamic context on the left-hand side (Σ_n becomes Σ′_{n+k}), k 
fresh symbols are generated, which means that the role has k existential quantifiers. 
We need to verify that this step in the operational semantics of MSR is equivalent 
to the right-hand side, i.e., to the application of the rewrite axiom labelled a_i (see 
the definition of role) in RWLDT. Using the freshness invariance lemma it is easy to 
see that the existential quantifiers of role i are correctly instantiated using the k fresh 
terms N which are generated in this process. Apart from maintaining the freshness 
information, the only effect of the rule is that the terms (τ_i1 A N), ..., (τ_in A N) 
are added to the RWLDT state. This can only correspond to the addition of a new 
instance of role i to the active role set. 

For the second equivalence of the lemma, note that the left-hand side expresses 
that an instance of role i is selected from the active role set and its rule j, which is 
of the form rule j : ∀X:U. M → ∃Y:V. N, is executed. According to 
the change in the dynamic MSR context on the left-hand side (Σ_n becomes Σ′_{n+k}), 
k fresh symbols are generated, which means that the rule has k existential quantifiers. 
We again need to verify that this step in the operational semantics of MSR is 
equivalent to the right-hand side, i.e., the application of the rewrite axiom labelled 
a_ij (see the definition of rule) in RWLDT. Using the freshness lemma it is easy to 
see that the existential quantifiers of rule j are correctly instantiated using k fresh 
terms. Apart from maintaining the freshness information, the rule has two effects: 
it replaces the term state(M′) by state(N′) (the terms M′ and N′ are instances 
of M and N, respectively), a step precisely corresponding to the execution of the 
MSR rule, and it removes the token (τ_ij A N), which can only correspond to the 
fact that the rule is removed from the active role, because it has been executed. 

Obviously, for both equivalences the detailed proof would establish a bijection 
between the fresh symbols generated by MSR and the fresh terms generated in 
RWLDT. □ 

The following theorem summarizes the statements of the previous lemma: 

Theorem 5.6 (Soundness and Completeness) Let (V, V) be an MSR specification, 
let S, S′ be MSR states, and let R, R′ be MSR active role sets. Then for all 
n, k we have the following equivalence: 

There are MSR contexts Σ_n, Σ′_{n+k} s.t. V, V ⊢ [S]_{Σ_n} → [S′]_{Σ′_{n+k}} iff 
there exists P s.t. context(V), roles(V) ⊢ 
!! [P] : (union ((F (s^n o)), state(S), actroles(R))) ⇒ 
(union ((F (s^{n+k} o)), state(S′), actroles(R′))), 
where we identify terms that are structurally equal in context(V). 


5.4 Achieving Executability 

Unfortunately, the resulting RWLDT specification is not necessarily executable in 
the ordinary sense of rewriting, since there may be rules with variables on the right-hand 
side that do not appear on the left-hand side and hence cannot be bound by 
matching. Therefore, we apply another simple transformation which makes certain 
types and their elements explicit in the state by making use of the predicate 
E : {T : Type} T → state. This leads to the following modifications: 

• role(i, P, ∃L:T. ρ^n) = 
  {Z, Z′ : nat}{L : type(T)} fresh(Z, L, T, Z′) → 
    [a_i] : (union ((E princ P), (F Z))) ⇒ 
            (union ((E princ P), (τ_i1 P L), ..., (τ_in P L), (F Z′))), 
  rule(i, P, L, T, ρ_1), ..., rule(i, P, L, T, ρ_n). 

• rule(i, P, L, T, rule j : ∀X:U. M → ∃Y:V. N) = 
  r_ij : {P : princ}{Z, Z′ : nat}{L : type(T)}{X : type(U)}{Y : type(V)} fresh(Z, Y, V, Z′) → 
    [a_ij] : (union (ES, (τ_ij P L), (F Z), state(M))) ⇒ 
             (union (ES, state(N), (F Z′))) 

  where ES is a formal multiset containing (E U_1 X_1), ..., (E U_x X_x). 

The theorem is as before, except that we have to provide a sufficient amount 
of explicit typing information (see ES below) to perform a simulation step: 

Theorem 5.7 (Soundness and Completeness) Let (V, V) be an MSR specification, 
let S, S′ be MSR states, and let R, R′ be MSR active role sets. Then for all 
n, k we have the following equivalence: 

There are MSR contexts Σ_n, Σ′_{n+k} s.t. V, V ⊢ [S]_{Σ_n} → [S′]_{Σ′_{n+k}} iff 
there exist P, ES s.t. context(V), roles(V) ⊢ 
!! [P] : (union (ES, (F (s^n o)), state(S), actroles(R))) ⇒ 
(union (ES, (F (s^{n+k} o)), state(S′), actroles(R′))), 
where we identify terms that are structurally equal in context(V), and ES is a 
formal multiset containing (E U Q) only for terms Q of type U. 

Proof Sketch. The only modification to our previous representation (Section 5.3) 
is that we have added terms of the form (E U Q) to the rewrite axioms, such that as 
an obvious invariant these terms are preserved by applications of rewrite axioms. 
These terms cannot be confused or interact with any of the terms representing the 
MSR configuration, so that the original behavior is preserved (disregarding the 
newly introduced terms), assuming that the applicability of rewrite axioms is not 
compromised. To guarantee the latter, the theorem has been relaxed w.r.t. the previous 
one (Section 5.3) by adding the formal multiset ES to the state on the left-hand 
side of the rewrite judgment (and since ES is preserved it is added on the right-hand 
side as well). Since ES is existentially quantified it can be instantiated by any 
sufficient number of terms, compensating for the (E U Q) that are now needed to 
apply the rewrite axioms. □ 

As a slight optimization, the term (E princ P) in the translation above can be 
dropped in the rewrite axiom a_i if it is the translation of an anchored role, because in 
this case A is a constant declared in V and not a variable that needs to be determined 
by matching. Furthermore, (E U_l X_l) can be dropped from ES in the translation 
if X_l occurs in M, because in this case it can be bound by matching. 


5.5 Eliminating Intermediate States 

A drawback of the operational semantics of MSR defined in terms of the transition 
judgment V, V ⊢ [S]_Σ → [S′]_Σ′ and our representation above is that role 
instantiation can occur anytime and arbitrarily often, even if there is no subsequent use 
of the role. This is an unnecessary source of nondeterminism and nontermination, 
and without any other means to control the execution it would prevent symbolic 
execution and analysis. 

By considering a slightly more abstract semantics that composes role instantiation 
with the execution of a rule of this role, we can eliminate such superfluous 
intermediate states. For the modified operational semantics of MSR we write V, V ⊢ 
[S]_Σ →* [S″]_Σ″ iff there exists a role i with a rule j (and A, N) s.t. 

• V, V ⊢ [S]_Σ →_{i,A,N} [S′]_Σ′ and V, V ⊢ [S′]_Σ′ →_{i,j,A,N} [S″]_Σ″, or 

• V, V ⊢ [S]_Σ →_{i,j,A,N} [S″]_Σ″. 

Our representation will be modified correspondingly as follows: 

• role(i, P, ∃L:T. ρ^n) = 
  rule_1(i, n, P, L, T, ρ_1), rule_2(i, n, P, L, T, ρ_1), ..., 
  rule_1(i, n, P, L, T, ρ_n), rule_2(i, n, P, L, T, ρ_n). 

• rule_1(i, n, P, L, T, rule j : ∀X:U. M → ∃Y:V. N) = 
  r_ij1 : {P : princ}{Z, Z′, Z″ : nat}{L : type(T)}{X : type(U)}{Y : type(V)} 
    fresh(Z, L, T, Z′), fresh(Z′, Y, V, Z″) → 
    [a_ij1] : (union ((E princ P), ES, (F Z), state(M))) ⇒ 
              (union ((E princ P), ES, state(N), TS, (F Z″))) 
  where TS is the formal multiset containing 
  (τ_i1 P L), ..., (τ_in P L) with (τ_ij P L) removed. 

• rule_2(i, n, P, L, T, rule j : ∀X:U. M → ∃Y:V. N) = 
  r_ij2 : {P : princ}{Z, Z′ : nat}{L : type(T)}{X : type(U)}{Y : type(V)} fresh(Z, Y, V, Z′) → 
    [a_ij2] : (union (ES, (τ_ij P L), (F Z), state(M))) ⇒ 
              (union (ES, state(N), (F Z′))). 

The idea behind these definitions is that the rewrite axiom r_ij1 generated 
by rule_1 simulates the effect of instantiating role i immediately followed by the 
execution of one of its rules, which is j in this case. As a consequence it generates 
the formal multiset of tokens (τ_i1 P L), ..., (τ_in P L) with (τ_ij P L) removed, 
because the corresponding rule has already been executed. The rewrite axiom 
r_ij2 generated by rule_2 takes care of the execution of the remaining rules, and 
hence remains unchanged compared with the previous section. 

Now we obtain a result entirely analogous to the previous theorem: 

Theorem 5.8 (Soundness and Completeness) Let (V, V) be an MSR specification, 
let S, S′ be MSR states, and let R, R′ be MSR active role sets. Then for all 
n, k we have the following equivalence: 

There are MSR contexts Σ_n, Σ′_{n+k} s.t. V, V ⊢ [S]_{Σ_n} →* [S′]_{Σ′_{n+k}} iff 
there exist P, ES s.t. context(V), roles(V) ⊢ 
!! [P] : (union (ES, (F (s^n o)), state(S), actroles(R))) ⇒ 
(union (ES, (F (s^{n+k} o)), state(S′), actroles(R′))), 
where we identify terms that are structurally equal in context(V), and ES is a 
formal multiset containing (E U Q) only for terms Q of type U. 

Proof Sketch. The only difference w.r.t. the previous theorem is that we use the 
new judgment V, V ⊢ [S]_Σ →* [S″]_Σ″ as the operational semantics of MSR. 
By definition there are two cases to consider: 

(i) There is a role i with a rule j such that 
    V, V ⊢ [S]_Σ →_{i,A,N} [S′]_Σ′ and V, V ⊢ [S′]_Σ′ →_{i,j,A,N} [S″]_Σ″. 

Observe that we are concerned with a sequential composition of the judgments 
that we represented in our previous representation (Section 5.4). Omitting 
quantifiers and conditions for clarity, the first judgment was represented by 
the rewrite axiom 

[a_i] : (union ((E princ P), (F Z))) ⇒ 
        (union ((E princ P), (τ_i1 P L), ..., (τ_in P L), (F Z′))), 

and the second judgment was represented by the rewrite axiom 

[a_ij] : (union (ES, (τ_ij P L), (F Z′), state(M))) ⇒ 
         (union (ES, state(N), (F Z″))). 

Consequently, our new representation (see the definition of rule_1) uses the 
sequential composition of these two: 

[a_ij1] : (union ((E princ P), (F Z), ES, state(M))) ⇒ 
          (union ((E princ P), TS, ES, state(N), (F Z″))), 
where TS is the formal multiset containing (τ_i1 P L), ..., (τ_in P L) with 
(τ_ij P L) removed. 

(ii) There is a role i with a rule j such that V, V ⊢ [S]_Σ →_{i,j,A,N} [S″]_Σ″. 

For this case, we just need to simulate the execution of a rule. Hence, the 
rewrite axiom (see the definition of rule_2) is as in the previous representation: 
[a_ij2] : (union (ES, (τ_ij P L), (F Z), state(M))) ⇒ 
          (union (ES, state(N), (F Z′))). 

□ 


As an optimization, the rewrite axiom r_ij1 can be omitted if M contains any 
of the variables in L. The reason is that we have the invariant (for the reachable 
states we are concerned with in the theorem) that the variables L are instantiated 
by objects which do not exist in the state, so that this axiom could never be applied. 

Another obvious optimization is to omit the rewrite axiom r_ij2 when the role i 
contains only a single rule. This optimization relies on the fact that in this case τ_ij 
can never appear in the state, an invariant that holds for the reachable states we are 
concerned with in the theorem. More generally, we drop any rule that depends on 
a τ_ij that is never generated. This can happen because the only rule that generates 
τ_ij has been eliminated by previous optimizations. 


6 Translation in our Example 

Returning to the Otway-Rees protocol and its specification in MSR, we now illustrate 
how its responder role (role number 2) is translated into RWLDT. For brevity, 
we omit all declarations, except the ones for the network predicate, message 
concatenation (denoted _ in MSR), and the encryption function (which was written 
as {_}_ in MSR): 

N : msg -> state 
append : msg -> msg -> msg 
encrypt : {A,B : princ} msg -> (shK A B) -> msg 

As for union, we write (append (M1, ..., Mn)) to abbreviate (append M1 
(append (M2, ..., Mn))). 

We have the following coercions (to which we have given longer names here): 

nonce-msg : nonce -> msg 
princ-msg : princ -> msg 
ltK-shK : {A,B : princ} (ltK A B) -> (shK A B) 
stK-shK : {A,B : princ} (stK A B) -> (shK A B) 

We also declare the following injections, as required by the translation to generate 
fresh symbols of the target type: 

NONCE : nat -> nonce 
L2 : nat -> ({B : princ} princ -> nonce -> nonce -> (ltK B S) -> state) 

Finally, we declare the token constructors relevant for the responder role: 

T21 : princ -> ({B : princ} princ -> nonce -> nonce -> (ltK B S) -> state) -> state . 
T22 : princ -> ({B : princ} princ -> nonce -> nonce -> (ltK B S) -> state) -> state . 

The translation of the responder role produces four rewrite rules, but two of 
them can be eliminated by our optimizations: 

R211 : !! {B:princ} 
          {L:{B:princ} princ -> nonce -> nonce -> (ltK B S) -> state} 
          {A:princ}{kBS:(ltK B S)}{X:msg} 
          {fresh,fresh':nat}{n,nB:nonce} 
          (L := (L2 fresh)) -> 
          (nB := (NONCE (suc fresh))) -> 
          (fresh' := (suc fresh)) -> 
       [A211] : (union ((E (ltK B S) kBS), (F fresh), 
                        (N (append ((nonce-msg n), 
                                    (princ-msg A), 
                                    (princ-msg B), 
                                    X))))) 
             => (union ((E (ltK B S) kBS), (F fresh'), 
                        (N (append (n,A,B,X, 
                                    (encrypt (append ((nonce-msg nB), 
                                                      (nonce-msg n), 
                                                      (princ-msg A), 
                                                      (princ-msg B))) 
                                             (ltK-shK B S kBS))))), 
                        (L B A n nB kBS), 
                        (T22 B L))) 

R222 : !! {B:princ} 
          {L:{B:princ} princ -> nonce -> nonce -> (ltK B S) -> state} 
          {A:princ}{kBS:(ltK B S)}{kAB:(stK A B)}{Y:msg}{n,nB:nonce} 
       [A222] : (union ((N (append ((nonce-msg n),Y, 
                                    (encrypt (append ((nonce-msg nB), 
                                                      (stK-msg A B kAB))) 
                                             (ltK-shK B S kBS))))), 
                        (L B A n nB kBS), 
                        (T22 B L))) 
             => (N (append ((nonce-msg n),Y))) 

The justification for eliminating r221 is that it contains (L B A n nB kBS) 
with L fresh on its left-hand side. Since r212 depends on (T21 B L), which 
could only be generated by r221, this rule can be dropped as well. 
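The token mechanism of Section 5.3 (one τ_ij token per pending rule, a single (F Z) counter advanced by fresh) and the two responder axioms above, as an added Python simulation that is not part of the paper or of the OCC prototype; the tuple encoding of terms, the helper names (apply_R211, apply_R222, freshness_ok) and the sample messages are our constructions, and R211 here advances the counter by two following fresh(Z, L, T, Z′), fresh(Z′, Y, V, Z″) in the definition of rule_1 of Section 5.5.

```python
from collections import Counter

# Constructed tuple encoding of the RWLDT terms of Section 6 (not the paper's OCC
# syntax): a state is a multiset (Counter) of ground terms.
def F(z):              return ("F", z)                 # fresh-symbol counter (F (s^z o))
def E(ty, v):          return ("E", ty, v)             # explicit typing (E U Q), Section 5.4
def N(*msg):           return ("N", msg)               # network predicate, msg = append(...)
def T22(B, L):         return ("T22", B, L)            # token: rule 2 of role 2 still pending
def Lmem(L, B, A, n, nB, kBS): return ("L", L, B, A, n, nB, kBS)  # (L B A n nB kBS)
def enc(msg, key):     return ("encrypt", msg, key)    # {msg}_key
def nonce(z):          return ("NONCE", z)             # injection NONCE : nat -> nonce
def L2(z):             return ("L2", z)                # injection L2 : nat -> type of L

def fresh(z, k):
    """fresh(Z, Y, V, Z'): Y_1..Y_k receive s^0 Z .. s^(k-1) Z and Z' = s^k Z."""
    return [z + i for i in range(k)], z + k

def find(state, pred):
    """First term of the multiset satisfying pred, or None (matching by scan)."""
    return next((t for t in state.elements() if pred(t)), None)

def apply_R211(state, B, S="S"):
    """A211: instantiate responder B and run its first rule (rule_1 of Section 5.5).
    Returns the successor state, or None if the left-hand side does not match."""
    f   = find(state, lambda t: t[0] == "F")
    key = find(state, lambda t: t[0] == "E" and t[1] == ("ltK", B, S))
    req = find(state, lambda t: t[0] == "N" and len(t[1]) == 4
                                and t[1][0][0] == "NONCE" and t[1][2] == B)
    if f is None or key is None or req is None:
        return None
    kBS = key[2]
    n, A, _, X = req[1]
    (l_idx,), z1 = fresh(f[1], 1)          # fresh(Z, L, T, Z')
    (nb_idx,), z2 = fresh(z1, 1)           # fresh(Z', nB, nonce, Z'')
    L, nB = L2(l_idx), nonce(nb_idx)
    new = state - Counter([f, req])        # (E ...) is preserved; only F and N are consumed
    new.update([F(z2),
                N(n, A, B, X, enc((nB, n, A, B), kBS)),
                Lmem(L, B, A, n, nB, kBS),
                T22(B, L)])                # TS: the tokens of role 2 minus the one for rule 1
    return new

def apply_R222(state, B):
    """A222: run the responder's second rule; consuming (T22 B L) enforces the MSR
    policy that a rule of an active role executes at most once."""
    tok = find(state, lambda t: t[0] == "T22" and t[1] == B)
    mem = tok and find(state, lambda t: t[0] == "L" and t[1] == tok[2])
    if not tok or not mem:
        return None
    _, _, _, A, n, nB, kBS = mem
    msg = find(state, lambda t: t[0] == "N" and len(t[1]) == 3 and t[1][0] == n
                                and t[1][2][0] == "encrypt" and t[1][2][2] == kBS
                                and t[1][2][1][0] == nB)
    if msg is None:
        return None
    new = state - Counter([tok, mem, msg])
    new.update([N(n, msg[1][1])])
    return new

def indices(t):
    """All fresh-symbol indices (arguments of NONCE / L2) occurring in a term."""
    if isinstance(t, tuple):
        if len(t) == 2 and t[0] in ("NONCE", "L2"):
            return {t[1]}
        return set().union(*(indices(x) for x in t))
    return set()

def freshness_ok(state):
    """Lemma 5.2: with (F (s^n o)) in the state, no s^(n+k) o occurs anywhere else."""
    n = find(state, lambda t: t[0] == "F")[1]
    used = set().union(*(indices(t) for t in state.elements() if t[0] != "F"))
    return all(m < n for m in used)

def run_responder():
    """Drive the responder through both rules on constructed messages. Returns the
    state after R211, the state after R222, and the result of a second R222 attempt."""
    A, B, S, kBS, kAB = "A", "B", "S", "kBS", "kAB"
    n = nonce(0)                                       # constructed: initiator's nonce
    s0 = Counter([F(1), E(("ltK", B, S), kBS), N(n, A, B, "X")])
    s1 = apply_R211(s0, B)
    nB = find(s1, lambda t: t[0] == "L")[5]            # the nonce R211 just generated
    s1 = s1 + Counter([N(n, "Y", enc((nB, kAB), kBS))])  # constructed: server's reply
    s2 = apply_R222(s1, B)
    return s1, s2, apply_R222(s2, B)

if __name__ == "__main__":
    s1, s2, again = run_responder()
    print(s2, again, freshness_ok(s1) and freshness_ok(s2))
```

The second R222 attempt fails because the token (T22 B L) is gone, which is the executable form of the once-only policy; freshness_ok checks the invariant of Lemma 5.2 on every intermediate state.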

The full RWLDT specification successfully passes the OCC type checker, which 
implies that the original MSR specification is type-correct as well. The OCC prototype 
can further be used to explore the dynamics of the protocol. For example, to 
restrict the protocol execution to one instance of each role and to observe termination, 
we add START_i and TERMINATED_i tokens to respectively the first and last rules 
of each role i. 

A:princ . B:princ . kAS:(ltK A S) . kBS:(ltK B S) . 

rew (union ((F 0),(E P A),(E P B), 
            (E (ltK A S) kAS),(E (ltK B S) kBS), 
            (START1 A),(START2 B),(START3 S))) . 

trace: 
A111 A211 A311 A222 A122 
result: 
(union ((F 6),(E P A),(E P B), 
        (E (ltK A S) kAS),(E (ltK B S) kBS), 
        (TERMINATED1 A),(TERMINATED2 B),(TERMINATED3 S))) 

After starting the symbolic execution, the system performs a series of actions, each 
corresponding to the application of a rule. Finally, the terminating state is reached, 
the explicit type information is preserved, and six fresh constants have been used. 
An exploration of the state space using Maude shows that the above execution is 
the only possible one from the given initial state. 

7 Final Remarks 

In this paper we have presented a shallow and hence efficient embedding from MSR 
into rewriting logic with dependent types (RWLDT), which has been introduced as 
a restricted instance of the open calculus of constructions (OCC). This mapping 
forms the basis for an ongoing implementation of an MSR execution and analysis 
environment. A mapping from RWLDT into RWL has already been implemented 
as part of the OCC prototype in Maude. This enabled us to perform symbolic 
execution of the translated MSR specification in our example. The user interaction 
takes place at the level of RWLDT terms, which directly correspond to MSR terms, 
and hence the user does not need to be concerned with the resulting translation into 
RWL. A similar interface for symbolic search and model checking would be easy 
to implement. At the moment, however, we can already export the RWL translation 
of the RWLDT specification and perform symbolic search and model checking at 
the level of Maude. 

For the sake of clarity we made a number of simplifying assumptions in this 
paper. We decoupled the issue of inferring implicit parts of an MSR specification 
from the actual translation phase, which is exactly the way we would like to 
organize the architecture of the translator. We also assumed the absence of name 
clashes, an assumption that is not necessary if we use the CINNI explicit substitution 
calculus and its term representation. In fact, the theory and prototype 
for OCC are already based on this calculus. 

An additional feature of MSR that may require changes to our representation 
is constraints, i.e., conditions attached to MSR rules. Constraints do not appear 
in [4,5] but have proved useful, for instance, in the Kerberos analysis [3]. Among 
the options are the direct translation into conditional rules of RWLDT, the extension 
of the linear state by a non-linear counterpart (as in standard sequent presentations 
of linear logic) and its use to verify the constraints, or a combination of these two 
possibilities. Equations are a recent addition to MSR, inspired by this collaboration. 
They can be directly mapped to the computational equations of RWLDT. Further 
extensions of MSR, such as moving to richer executable fragments of linear logic 
in the style of CLF, a direction currently investigated by the first author, seem 
to require a deeper embedding of MSR into RWLDT, an interesting topic that we 
leave for future research. 

An important part of MSR, the data access specification, has not been treated 
in this paper, because a sufficiently generic and concise formulation is still the subject 
of ongoing work. Our most recent idea to formalize the data access specification is 
to use predicates inside the type theory to express the accessibility of information 
relative to principals. In combination with the assertional propositions of RWLDT 
this may simplify the representation of data access rules significantly and would 
provide a great deal of flexibility. Furthermore, the proof that the data access 
specification is satisfied would become an object inside the type theory. In fact, the 
logical nature of RWLDT is far from being fully exploited so far, which leads us to 
the last point of the conclusion. 

In addition to the automatic symbolic analysis techniques mentioned above, our 
two-level architecture opens the door to performing formal reasoning at the level of 
RWLDT, which contains all the type information of the original MSR specification 
and uses practically the same term syntax. Indeed, interactive theorem proving is 
supported by OCC, but to make use of it our translation needs to be enriched 
to make explicit the inductive nature of MSR, which can be achieved essentially 
by adding suitable elimination/induction principles. Formal reasoning would 
ultimately rely on the model-theoretic semantics of OCC, but it can use its operational 
semantics to enhance the expressivity of types and to provide partial automation in 
proofs. 

See http://formal.cs.uiuc.edu/stehr/msr.html for the complete 
specification of the Otway-Rees example, other examples, and recent progress on 
the project. 